Cloud services are about to get (a lot) more expensive in Europe

Data protection laws in Europe are already quite stringent – which is why the Safe Harbor agreement with the US collapsed so spectacularly. However new regulations that come into force in May 2018 are set to change everything – again.

Currently, the business who “owns” personal information - known as the “Controller” - carries the responsibility for protecting it. Whether that information is stored onsite or in the cloud, the Controller is held to account when something goes wrong.

Under the new General Data Protection Regulations (GDPR), Cloud providers will be classified as “Processors”, increasing their level of responsibility for protecting personal information held by clients using their services. Even if they never access or use that data, cloud providers will bear similar responsibilities as their clients who “own” it.

Both parties will share responsibility in a data loss event that exposes customers’ personal information. Firms could be fined up to 4% of annual global turnover, or €20 million, whichever is higher.

A change that affects all contracts

When the new regulations come into force, they will override all previous legislation and apply to all service contracts – even those signed before the go-live date. Businesses and their Cloud providers will almost certainly need to draw up new agreements that address the changes required by GDPR.

The increased level of responsibility for protecting data and proving compliance is sure to add to every Cloud provider’s costs. It is extremely likely that subscription fees will increase (perhaps significantly) to cover the cost of upgrading systems and safeguards in the providers’ data centers.

Smaller providers are widely expected to suffer as a result of the new legislation, unable to invest the funds required to improve their provisions. Even those that use services from large players like Microsoft and Amazon will have problems, as they renegotiate GDPR-compliant contracts. Every part of their service will need to have a standard GDPR provision – including those aspects that are owned and maintained by third parties.

The reality is that enterprises reliant on Cloud services in Europe need to re-evaluate their contracts and provisions now so they have enough time to plan contingencies. Even businesses based in the UK will need to consider their options carefully – there is a good chance that the GDPR will come into force before Brexit completes.

It could be that the uplift in pricing, and the increase in contractual complexity, will increase construction and adoption of private Cloud platforms – if only to simplify the compliance process and allow the CIO to retain complete control of the corporate computing environment.

CDS remains of the opinion that private Cloud platforms built using Software Defined Storage (SDS) and vendor-agnostic hardware infrastructure remain your company’s best bet for minimising the uncertainties of Cloud services and data sovereignty issues.

To learn more about why we think this, and how we can help your business achieve more with SDS, please get in touch